diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index 12f53e319..265490003 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -322,7 +322,7 @@
Port Knocking and Other Uses
of the 'Recent Match'
-
+
@@ -331,16 +331,16 @@
PPTP
-
+
- Getting help or answers to
- questions
+ Helpers/Helper
+ Modules
Proxy ARP
-
+
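Review bot: this hunk replaces the existing index entry "Getting help or answers to questions" (the two `-` lines) with "Helpers/Helper Modules" (the two `+` lines) instead of adding the new entry alongside it. If the help entry is still meant to be reachable from Documentation_Index.xml, it should be re-added; if its removal is intentional, the commit message should say so, since only the substitution is visible here.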
@@ -350,7 +350,7 @@
QuickStart
Guides
-
+
@@ -358,7 +358,7 @@
Release Model
-
+
@@ -367,7 +367,7 @@
Requirements
-
+
@@ -376,7 +376,7 @@
Routing and
Shorewall
-
+
@@ -385,7 +385,7 @@
Routing on One
Interface
-
+
@@ -394,7 +394,7 @@
Samba
-
+
@@ -404,7 +404,7 @@
Shorewall
Init
-
+
@@ -414,16 +414,16 @@
Shorewall
Lite
-
+
KVM (Kernel-mode Virtual
Machine)
-
+
-
+
diff --git a/docs/Helpers.xml b/docs/Helpers.xml
new file mode 100644
index 000000000..41be054d8
--- /dev/null
+++ b/docs/Helpers.xml
@@ -0,0 +1,329 @@
+
+
+
+
+
+
+ Netfilter Helpers
+
+
+
+ Tom
+
+ Eastep
+
+
+
+
+
+
+ 2012
+
+ Thomas M. Eastep
+
+
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU Free Documentation License, Version
+ 1.2 or any later version published by the Free Software Foundation; with
+ no Invariant Sections, with no Front-Cover, and with no Back-Cover
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation
+ License
.
+
+
+
+
+ Helpers - Introduction
+
+ There are a number of applications that create connections
+ dynamically between a client and server. These connections use temporary
+ TCP or UDP ports, so static configuration of firewall rules to allow those
+ connections would require a very lax firewall configuration. To deal with
+ these problem applications, Netfilter supports the concept of a
+ helper. Each helper monitors traffic to/from the
+ default primary port used by the application and opens the firewall to
+ accept temporary connections created by the primary session.
+
+ There are helpers for the following applications; default ports
+ monitored by each helper are listed in parentheses:
+
+
+
+ Amanda (UDP 10080)
+
+
+
+ FTP (TCP 21)
+
+
+
+ H323 (UDP 1719, TCP 1720)
+
+
+
+ IRC (TCP 6667)
+
+
+
+ Netbios-NS (UDP 137)
+
+
+
+ PPTP (TCP 1729)
+
+
+
+ SANE (TCP 6566)
+
+
+
+ SIP (UDP 5060)
+
+
+
+ SNMP (UDP 161)
+
+
+
+ TFTP (UDP 69)
+
+
+
+
+ Helper Module Loading
+
+ In a modular kernel, each helper is typically packaged as two
+ kernel modules. One module handles connection tracking where NAT isn't
+ involved and the other module handles NAT. For example, the FTP helper
+ consists of these two modules (kernels 2.6.20 and later):
+
+
+
+ nf_conntrack_ftp
+
+
+
+ nf_nat_ftp
+
+
+
+ Note that the naming convention is
+ nf_conntrack_application and
+ nf_nat_application; more about that
+ below.
+
+ The modules are not auto-loaded and must be loaded explicitly
+ using the modprob or insmod
+ utilities.
+
+ Many of the modules allow parameters to be specified when the
+ module is loaded. Among the common parameters is the ports parameter
+ that lists one or more ports that the module is to monitor. This allows
+ running the application on a non-standard port.
+
+
+
+ Iptables and Helpers
+
+ Iptables supports two ways of interacting with modules:
+
+
+
+ Helper Match
+
+
+ This match (-m helper --helper
+ name) allows selection of packets from
+ connections monitored or created by the named helper.
+
+
+
+
+ CT Target
+
+
+ This target (-j CT --helper name
+ ...) , introduced in the 3.4 kernels, allows for explicit
+ association of a helper with a connection.
+
+
+
+
+ It is important to note that the name used in iptables is not
+ always the same as the name in the kernel module. Names used in iptables
+ are shown in the following table:
+
+
+
+
+
+ Name of kernel module
+
+ Name recognized by iptables
+
+
+
+ nf_conntrack_amanda
+
+ amanda
+
+
+
+ nf_conntrack_ftp
+
+ ftp
+
+
+
+ nf_conntrack_h323
+
+ RAS (udp 1719), Q.931 (tcp
+ 1720)
+
+
+
+ nf_conntrack_irc
+
+ irc
+
+
+
+ nf_conntrack_netbios_ns
+
+ netbios-ns
+
+
+
+ nf_conntrack_pptp
+
+ pptp
+
+
+
+ nf_conntrack_sane
+
+ sane
+
+
+
+ nf_conntrack_sip
+
+ sip
+
+
+
+ nf_conntrack_snmp
+
+ snmp
+
+
+
+ nf_conntrack_tftp
+
+ tftp
+
+
+
+
+
+ Netfilter helpers present an opportunity for attackers to attempt
+ to breach your firewall by IP address spoofing; See https://home.regit.org/netfilter-en/secure-use-of-helpers/
+ for a description of the Netfilter facilities available to meet these
+ attacks.
+
+
+
+
+ Shorewall Support for Helpers
+
+ Shorewall includes support for helpers is several areas. These areas
+ are covered in the sections below.
+
+
+ Module Loading
+
+ Shorewall includes support for loading the helper modules as part
+ of its support for loading kernel modules in general. There are several
+ options in shorewall.conf (5) that deal with kernel module
+ loading:
+
+
+
+ MODULESDIR
+
+
+ This option specifies a comma-separated list of directories
+ where Shorewall will look for kernel modules to load.
+
+
+
+
+ MODULE_SUFFIX
+
+
+ Lists the possible suffixes for module names.
+
+
+
+
+ LOAD_HELPERS_ONLY
+
+
+ Controls whether Shorewall should load only the helpers and
+ leave the other modules to the auto-loader. This option
+ dramatically reduces the time to process a shorewall
+ start or shorewall restart
+ command.
+
+
+
+
+ HELPERS
+
+
+ This option was added in Shorewall 4.5.7 and lists the
+ modules to be enabled for association with connections. This
+ option is fully functional only on systems running kernel 3.5 or
+ later. On systems running earlier kernels, the only way to totally
+ disable a module is to not load it. The module names allowed in
+ this list are amanda, ftp, h323,
+ irc, netbios-ns, pptp, sane, sip,
+ snmp and tftp.
+
+
+
+
+ The helper modules to be loaded are listed in the file
+ /usr/share/shorewall/helpers. If you wish to
+ customize that file to load only a subset of the helpers or to specify
+ module parameters, then copy the file to /etc/shorewall/
+ and modify the copy. That way, your changes won't be
+ overwritten the next time that Shorewall is updated on your
+ system.
+
+
+
+ Iptables
+
+ The iptables helper match is supported by Shorewall in the form of
+ the HELPER column in shorewall-tcrules
+ (5).
+
+ The CT target is supported directly in shorewall-conntrack
+ (5).
+
+ In these files, Shorewall supports the same module names as
+ iptables; see the table above.
+
+
+
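Review bot: the PPTP port in the helper list, "PPTP (TCP 1729)", looks wrong; the PPTP control connection uses TCP 1723, and since readers are told these are the "default ports monitored by each helper", a wrong number here will lead to misconfigured rules. Please verify against the nf_conntrack_pptp module before merging. Two smaller issues in the same hunk: "using the modprob or insmod utilities" should read "modprobe", and "Shorewall includes support for helpers is several areas" should read "in several areas". It would also help the reader if the HELPERS option's description (fully functional only on kernel 3.5 or later) explained its relationship to the CT target introduced "in the 3.4 kernels" mentioned earlier, as the two version numbers sit close together without comment.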